package org.apache.sling.auth.core.impl;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyOption;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.auth.NoAuthenticationHandlerException;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthConstants;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.AuthenticationSupport;
import org.apache.sling.auth.core.impl.engine.EngineAuthenticationHandlerHolder;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.osgi.framework.AllServiceListener;
import org.osgi.framework.BundleContext;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceEvent;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.event.Event;
import org.osgi.service.event.EventAdmin;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({Authenticator.class, AuthenticationSupport.class, ServletRequestListener.class})
@Component(name = "org.apache.sling.engine.impl.auth.SlingAuthenticator", label = "%auth.name", description = "%auth.description", metatype = true)
@Property(name = "service.vendor", value = {"The Apache Software Foundation"})
/* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator.class */
public class SlingAuthenticator implements Authenticator, AuthenticationSupport, ServletRequestListener {

    // Value published as the component's "service.description" property.
    @Property(name = "service.description")
    static final String DESCRIPTION = "Apache Sling Request Authenticator";
    // Cookie name modified() falls back to when "auth.sudo.cookie" is missing or empty.
    private static final String DEFAULT_IMPERSONATION_COOKIE = "sling.sudo";

    // Configuration key for the name of the impersonation cookie.
    @Property({DEFAULT_IMPERSONATION_COOKIE})
    public static final String PAR_IMPERSONATION_COOKIE_NAME = "auth.sudo.cookie";
    // Parameter name modified() falls back to when "auth.sudo.parameter" is missing or empty.
    private static final String DEFAULT_IMPERSONATION_PARAMETER = "sudo";

    // Configuration key for the name of the impersonation request parameter.
    @Property({DEFAULT_IMPERSONATION_PARAMETER})
    public static final String PAR_IMPERSONATION_PAR_NAME = "auth.sudo.parameter";
    // Anonymous access is allowed unless the configuration says otherwise.
    private static final boolean DEFAULT_ANONYMOUS_ALLOWED = true;

    // Configuration key for the anonymous-access switch. The value is spelled
    // "auth.annonymous" (double n); it is the key read at runtime, so the spelling
    // must stay as it is. When the switch is false, modified() requires
    // authentication for "/".
    @Property(boolValue = {true})
    public static final String PAR_ANONYMOUS_ALLOWED = "auth.annonymous";

    // Configuration key and service property listing authentication requirement
    // entries; each entry is parsed by AuthenticationRequirementHolder.fromConfig.
    @Property(cardinality = Integer.MAX_VALUE)
    private static final String PAR_AUTH_REQ = "sling.auth.requirements";

    // Configuration key for the user name used for anonymous requests; an empty
    // value makes modified() clear both the user and the password.
    @Property
    private static final String PAR_ANONYMOUS_USER = "sling.auth.anonymous.user";

    // Configuration key for the anonymous user's password.
    // NOTE(review): the value arrives as a plain configuration entry and is only
    // converted to char[] in modified() — confirm how the configuration store protects it.
    @Property
    private static final String PAR_ANONYMOUS_PASSWORD = "sling.auth.anonymous.password";
    // The three values accepted for the "auth.http" setting.
    private static final String HTTP_AUTH_ENABLED = "enabled";
    private static final String HTTP_AUTH_DISABLED = "disabled";
    private static final String HTTP_AUTH_PREEMPTIVE = "preemptive";

    // Configuration key selecting the HTTP Basic mode; defaults to "preemptive".
    // modified() ignores the configured value and uses "enabled" when anonymous
    // access is denied.
    @Property(value = {HTTP_AUTH_PREEMPTIVE}, options = {@PropertyOption(name = HTTP_AUTH_ENABLED, value = "Enabled"), @PropertyOption(name = HTTP_AUTH_PREEMPTIVE, value = "Enabled (Preemptive)"), @PropertyOption(name = HTTP_AUTH_DISABLED, value = "Disabled")})
    private static final String PAR_HTTP_AUTH = "auth.http";
    // Realm passed to the HTTP Basic handler when "auth.http.realm" is not configured.
    private static final String DEFAULT_REALM = "Sling (Development)";

    // Configuration key for the HTTP Basic realm name.
    @Property({DEFAULT_REALM})
    public static final String PAR_REALM_NAME = "auth.http.realm";
    // URI suffix used when "auth.uri.suffix" is not configured.
    private static final String DEFAULT_AUTH_URI_SUFFIX = "/j_security_check";
    // presumably the request parameter carrying a new password; its use is
    // outside this part of the file — confirm.
    private static final String PAR_NEW_PASSWORD = "j_newpassword";

    // Configuration key for the list of authentication URI suffixes.
    @Property(value = {DEFAULT_AUTH_URI_SUFFIX}, unbounded = PropertyUnbounded.ARRAY)
    public static final String PAR_AUTH_URI_SUFFIX = "auth.uri.suffix";
    // Internal AuthenticationInfo key: getAuthenticationInfo() stores the feedback
    // handler of the handler that supplied the credentials under it, and
    // getResolver() removes it again before asking for a ResourceResolver.
    private static final String AUTH_INFO_PROP_FEEDBACK_HANDLER = "$$sling.auth.AuthenticationFeedbackHandler$$";

    // Factory used by getResolver() to turn an AuthenticationInfo into a ResourceResolver.
    @Reference
    private ResourceResolverFactory resourceResolverFactory;
    // Effective impersonation parameter and cookie names, set by modified().
    private String sudoParameterName;
    private String sudoCookieName;
    private boolean cacheControl;
    // Effective authentication URI suffixes, set by modified().
    private String[] authUriSuffices;
    // Anonymous user name and password; both are null when no user is configured.
    private String anonUser;
    private char[] anonPassword;
    // Built-in HTTP Basic handler; null when "auth.http" is "disabled".
    private HttpBasicAuthenticationHandler httpBasicHandler;
    // Registration of the web console plugin created in activate().
    private ServiceRegistration webConsolePlugin;
    // Listener for services carrying "sling.auth.requirements"; may be null.
    private SlingAuthenticatorServiceListener serviceListener;
    // Trackers opened in activate().
    private ServiceTracker authHandlerTracker;
    private ServiceTracker engineAuthHandlerTracker;
    private ServiceTracker authInfoPostProcessorTracker;

    @Reference(policy = ReferencePolicy.DYNAMIC)
    private volatile EventAdmin eventAdmin;
    private final Logger log = LoggerFactory.getLogger(SlingAuthenticator.class);
    // Authentication handlers by path; filled by the two handler trackers.
    private PathBasedHolderCache<AbstractAuthenticationHandlerHolder> authHandlerCache = new PathBasedHolderCache<>();
    // Authentication requirements by path; package-private because the nested
    // service listener writes to it.
    PathBasedHolderCache<AuthenticationRequirementHolder> authRequiredCache = new PathBasedHolderCache<>();

    /* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator$AuthenticationHandlerTracker.class */
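    /**
     * Service tracker that mirrors registered authentication handler services
     * into a {@link PathBasedHolderCache}.
     *
     * <p>For every tracked service one holder is created per non-empty entry of
     * the service's {@code path} property. A service without a usable
     * {@code path} property is tracked but contributes no holder, so it is never
     * selected for a request.
     */
    private static class AuthenticationHandlerTracker extends ServiceTracker {
        /** Cache that receives one holder per registered handler path. */
        private final PathBasedHolderCache<AbstractAuthenticationHandlerHolder> authHandlerCache;

        /** Holders created per service, keyed by {@code service.id}; guarded by its own monitor. */
        private final HashMap<Object, AbstractAuthenticationHandlerHolder[]> handlerMap;

        /**
         * Tracks services registered under {@link AuthenticationHandler#SERVICE_NAME}.
         *
         * @param bundleContext context used to track the services
         * @param pathBasedHolderCache cache to keep in sync with the registered handlers
         */
        AuthenticationHandlerTracker(BundleContext bundleContext, PathBasedHolderCache<AbstractAuthenticationHandlerHolder> pathBasedHolderCache) {
            this(bundleContext, AuthenticationHandler.SERVICE_NAME, pathBasedHolderCache);
        }

        /**
         * Tracks services registered under the given service name and opens the
         * tracker immediately.
         *
         * @param bundleContext context used to track the services
         * @param serviceName name of the service interface to track
         * @param pathBasedHolderCache cache to keep in sync with the registered handlers
         */
        protected AuthenticationHandlerTracker(BundleContext bundleContext, String serviceName, PathBasedHolderCache<AbstractAuthenticationHandlerHolder> pathBasedHolderCache) {
            super(bundleContext, serviceName, (ServiceTrackerCustomizer) null);
            this.handlerMap = new HashMap<>();
            this.authHandlerCache = pathBasedHolderCache;
            // open() may call addingService(), and through it the overridable
            // createHolder(), before a subclass constructor has finished; both
            // fields must therefore be assigned before this call.
            open();
        }

        /**
         * Binds a newly registered handler service.
         *
         * @return the service object obtained from the superclass, possibly {@code null}
         */
        @Override
        public Object addingService(ServiceReference serviceReference) {
            Object service = super.addingService(serviceReference);
            if (service != null) {
                bindAuthHandler(service, serviceReference);
            }
            return service;
        }

        /** Rebinds a handler whose service properties changed, so a changed {@code path} takes effect. */
        @Override
        public void modifiedService(ServiceReference serviceReference, Object obj) {
            unbindAuthHandler(serviceReference);
            if (obj != null) {
                bindAuthHandler(obj, serviceReference);
            }
        }

        /** Removes the holders of an unregistered handler before releasing the service. */
        @Override
        public void removedService(ServiceReference serviceReference, Object obj) {
            unbindAuthHandler(serviceReference);
            super.removedService(serviceReference, obj);
        }

        /**
         * Creates the holder for one path of a tracked service. Subclasses
         * override this to wrap a different handler type.
         *
         * @param path one entry of the service's {@code path} property
         * @param handler the tracked service object
         * @param serviceReference reference of the tracked service
         * @return the holder to add to the cache
         */
        protected AbstractAuthenticationHandlerHolder createHolder(String path, Object handler, ServiceReference serviceReference) {
            return new AuthenticationHandlerHolder(path, (AuthenticationHandler) handler, serviceReference);
        }

        /** Adds one holder per non-empty {@code path} entry and remembers them by {@code service.id}. */
        private void bindAuthHandler(Object handler, ServiceReference serviceReference) {
            String[] paths = OsgiUtil.toStringArray(serviceReference.getProperty("path"));
            if (paths == null || paths.length <= 0) {
                // No path configured: the handler is not added to the cache.
                return;
            }
            List<AbstractAuthenticationHandlerHolder> created = new ArrayList<>();
            for (String path : paths) {
                if (path != null && path.length() > 0) {
                    created.add(createHolder(path, handler, serviceReference));
                }
            }
            AbstractAuthenticationHandlerHolder[] holders = created.toArray(new AbstractAuthenticationHandlerHolder[created.size()]);
            for (AbstractAuthenticationHandlerHolder holder : holders) {
                this.authHandlerCache.addHolder(holder);
            }
            synchronized (this.handlerMap) {
                this.handlerMap.put(serviceReference.getProperty("service.id"), holders);
            }
        }

        /** Removes every holder previously created for the given service, if any. */
        private void unbindAuthHandler(ServiceReference serviceReference) {
            AbstractAuthenticationHandlerHolder[] holders;
            synchronized (this.handlerMap) {
                holders = this.handlerMap.remove(serviceReference.getProperty("service.id"));
            }
            if (holders != null) {
                for (AbstractAuthenticationHandlerHolder holder : holders) {
                    this.authHandlerCache.removeHolder(holder);
                }
            }
        }
    }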

    /* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator$EngineAuthenticationHandlerTracker.class */
    /**
     * Tracker for handlers registered under the
     * {@code org.apache.sling.engine.auth.AuthenticationHandler} service name.
     * It feeds the same cache as its superclass and differs only in the holder
     * type it creates.
     */
    private static class EngineAuthenticationHandlerTracker extends AuthenticationHandlerTracker {
        /**
         * @param bundleContext context used to track the services
         * @param pathBasedHolderCache cache to keep in sync with the registered handlers
         */
        EngineAuthenticationHandlerTracker(BundleContext bundleContext, PathBasedHolderCache<AbstractAuthenticationHandlerHolder> pathBasedHolderCache) {
            super(bundleContext, "org.apache.sling.engine.auth.AuthenticationHandler", pathBasedHolderCache);
        }

        /** Wraps the tracked service in an {@link EngineAuthenticationHandlerHolder}. */
        @Override // org.apache.sling.auth.core.impl.SlingAuthenticator.AuthenticationHandlerTracker
        protected AbstractAuthenticationHandlerHolder createHolder(String str, Object obj, ServiceReference serviceReference) {
            final org.apache.sling.engine.auth.AuthenticationHandler engineHandler =
                    (org.apache.sling.engine.auth.AuthenticationHandler) obj;
            return new EngineAuthenticationHandlerHolder(str, engineHandler, serviceReference);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator$SlingAuthenticatorServiceListener.class */
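    /**
     * Listens for services that carry a {@code sling.auth.requirements}
     * property and mirrors their entries into the authenticator's
     * authentication requirement cache.
     *
     * <p>The {@code props} map is guarded by its own monitor.
     */
    public static class SlingAuthenticatorServiceListener implements AllServiceListener {
        /** Filter matching every service that declares authentication requirements. */
        private static final String REQUIREMENTS_FILTER = "(sling.auth.requirements=*)";

        private final SlingAuthenticator authenticator;

        /** Requirement holders created per service, keyed by {@code service.id}. */
        private final HashMap<Object, AuthenticationRequirementHolder[]> props = new HashMap<>();

        /**
         * Registers a listener with the framework and processes the services
         * that are already registered.
         *
         * @param bundleContext context used to register the listener
         * @param slingAuthenticator authenticator whose requirement cache is updated
         * @return the listener, or {@code null} if the framework rejects the filter;
         *         in that case no service-provided requirement is applied
         */
        static SlingAuthenticatorServiceListener createListener(BundleContext bundleContext, SlingAuthenticator slingAuthenticator) {
            SlingAuthenticatorServiceListener listener = new SlingAuthenticatorServiceListener(slingAuthenticator);
            try {
                bundleContext.addServiceListener(listener, REQUIREMENTS_FILTER);
                ServiceReference[] existing = bundleContext.getAllServiceReferences((String) null, REQUIREMENTS_FILTER);
                if (existing != null) {
                    // The listener is already registered, so serviceChanged()
                    // may run concurrently; take the same lock it takes.
                    synchronized (listener.props) {
                        for (ServiceReference reference : existing) {
                            listener.addService(reference);
                        }
                    }
                }
                return listener;
            } catch (InvalidSyntaxException e) {
                // Do not fail silently: without the listener, requirements
                // declared by services are never enforced.
                slingAuthenticator.log.error("createListener: Invalid service filter " + REQUIREMENTS_FILTER
                        + "; authentication requirements of services will not be applied", e);
                return null;
            }
        }

        private SlingAuthenticatorServiceListener(SlingAuthenticator slingAuthenticator) {
            this.authenticator = slingAuthenticator;
        }

        /**
         * Updates the requirement cache for a service event: the service's
         * holders are removed on modification, unregistration and end of filter
         * match, and added again on registration and modification.
         */
        @Override
        public void serviceChanged(ServiceEvent serviceEvent) {
            synchronized (this.props) {
                int type = serviceEvent.getType();
                if ((type & (ServiceEvent.MODIFIED | ServiceEvent.UNREGISTERING | ServiceEvent.MODIFIED_ENDMATCH)) != 0) {
                    removeService(serviceEvent.getServiceReference());
                }
                if ((type & (ServiceEvent.REGISTERED | ServiceEvent.MODIFIED)) != 0) {
                    addService(serviceEvent.getServiceReference());
                }
            }
        }

        /** Adds the holders of all known services to the authenticator's requirement cache again. */
        void registerServices() {
            AuthenticationRequirementHolder[][] snapshot;
            // Copy under the lock so a concurrent serviceChanged() cannot modify
            // the map while it is being read.
            synchronized (this.props) {
                snapshot = this.props.values().toArray(new AuthenticationRequirementHolder[this.props.size()][]);
            }
            for (AuthenticationRequirementHolder[] holders : snapshot) {
                registerService(holders);
            }
        }

        /** Adds the given holders to the authenticator's requirement cache. */
        private void registerService(AuthenticationRequirementHolder[] holders) {
            for (AuthenticationRequirementHolder holder : holders) {
                this.authenticator.authRequiredCache.addHolder(holder);
            }
        }

        /** Creates, registers and remembers one holder per non-empty requirement entry of the service. */
        private void addService(ServiceReference serviceReference) {
            String[] requirements = OsgiUtil.toStringArray(serviceReference.getProperty("sling.auth.requirements"));
            if (requirements == null) {
                // Property missing: nothing to register for this service.
                return;
            }
            List<AuthenticationRequirementHolder> created = new ArrayList<>();
            for (String requirement : requirements) {
                if (requirement != null && requirement.length() > 0) {
                    created.add(AuthenticationRequirementHolder.fromConfig(requirement, serviceReference));
                }
            }
            AuthenticationRequirementHolder[] holders = created.toArray(new AuthenticationRequirementHolder[created.size()]);
            registerService(holders);
            this.props.put(serviceReference.getProperty("service.id"), holders);
        }

        /** Removes every holder previously created for the given service, if any. */
        private void removeService(ServiceReference serviceReference) {
            AuthenticationRequirementHolder[] holders = this.props.remove(serviceReference.getProperty("service.id"));
            if (holders != null) {
                for (AuthenticationRequirementHolder holder : holders) {
                    this.authenticator.authRequiredCache.removeHolder(holder);
                }
            }
        }
    }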

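    /**
     * Activates the authenticator: applies the configuration, registers the web
     * console plugin, and starts the requirement listener and the service trackers.
     *
     * @param bundleContext context used to register and track services
     * @param map component configuration; may be {@code null}
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        modified(map);

        // NOTE(review): the plugin is built from this authenticator and registered
        // as a servlet; presumably the web console restricts who can open it — confirm.
        AuthenticatorWebConsolePlugin plugin = new AuthenticatorWebConsolePlugin(this);
        Hashtable<String, Object> pluginProps = new Hashtable<>();
        pluginProps.put("felix.webconsole.label", plugin.getLabel());
        pluginProps.put("felix.webconsole.title", plugin.getTitle());
        pluginProps.put("service.description", "Sling Request Authenticator WebConsole Plugin");
        // Hashtable rejects null values, so the vendor is copied only when present.
        Object vendor = (map != null) ? map.get("service.vendor") : null;
        if (vendor != null) {
            pluginProps.put("service.vendor", vendor);
        }
        this.webConsolePlugin = bundleContext.registerService("javax.servlet.Servlet", plugin, pluginProps);

        this.serviceListener = SlingAuthenticatorServiceListener.createListener(bundleContext, this);
        this.authHandlerTracker = new AuthenticationHandlerTracker(bundleContext, this.authHandlerCache);
        this.engineAuthHandlerTracker = new EngineAuthenticationHandlerTracker(bundleContext, this.authHandlerCache);
        this.authInfoPostProcessorTracker = new ServiceTracker(bundleContext, AuthenticationInfoPostProcessor.SERVICE_NAME, (ServiceTrackerCustomizer) null);
        this.authInfoPostProcessorTracker.open();
    }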

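    /**
     * Applies the component configuration: impersonation cookie and parameter
     * names, authentication requirements, the anonymous user, the
     * authentication URI suffixes and the HTTP Basic mode.
     *
     * <p>NOTE(review): the requirement cache is cleared and then refilled step
     * by step. Whether a request handled in between can see an incomplete set
     * of requirements depends on {@code PathBasedHolderCache} — confirm.
     *
     * @param map component configuration; {@code null} is treated as empty
     */
    @Modified
    private void modified(Map<String, Object> map) {
        if (map == null) {
            map = new HashMap<String, Object>();
        }

        String cookieName = (String) map.get(PAR_IMPERSONATION_COOKIE_NAME);
        if (cookieName == null || cookieName.length() == 0) {
            cookieName = DEFAULT_IMPERSONATION_COOKIE;
        }
        if (!cookieName.equals(this.sudoCookieName)) {
            this.log.info("modified: Setting new cookie name for impersonation {} (was {})", cookieName, this.sudoCookieName);
            this.sudoCookieName = cookieName;
        }

        String parameterName = (String) map.get(PAR_IMPERSONATION_PAR_NAME);
        if (parameterName == null || parameterName.length() == 0) {
            parameterName = DEFAULT_IMPERSONATION_PARAMETER;
        }
        if (!parameterName.equals(this.sudoParameterName)) {
            this.log.info("modified: Setting new parameter name for impersonation {} (was {})", parameterName, this.sudoParameterName);
            this.sudoParameterName = parameterName;
        }

        // Rebuild the requirements. The root entry requires authentication
        // exactly when anonymous access is not allowed.
        this.authRequiredCache.clear();
        final boolean anonymousAllowed = OsgiUtil.toBoolean(map.get(PAR_ANONYMOUS_ALLOWED), DEFAULT_ANONYMOUS_ALLOWED);
        this.authRequiredCache.addHolder(new AuthenticationRequirementHolder("/", !anonymousAllowed, null));
        String[] requirements = OsgiUtil.toStringArray(map.get(PAR_AUTH_REQ));
        if (requirements != null) {
            for (String requirement : requirements) {
                if (requirement != null && requirement.length() > 0) {
                    this.authRequiredCache.addHolder(AuthenticationRequirementHolder.fromConfig(requirement, null));
                }
            }
        }

        // An anonymous password is only kept together with a non-empty user name.
        String anonymousUser = OsgiUtil.toString(map.get(PAR_ANONYMOUS_USER), "");
        if (anonymousUser.length() > 0) {
            this.anonUser = anonymousUser;
            this.anonPassword = OsgiUtil.toString(map.get(PAR_ANONYMOUS_PASSWORD), "").toCharArray();
        } else {
            this.anonUser = null;
            this.anonPassword = null;
        }

        this.authUriSuffices = OsgiUtil.toStringArray(map.get(PAR_AUTH_URI_SUFFIX), new String[]{DEFAULT_AUTH_URI_SUFFIX});

        // The login and logout servlet paths never require authentication.
        this.authRequiredCache.addHolder(new AuthenticationRequirementHolder(LoginServlet.SERVLET_PATH, false, null));
        this.authRequiredCache.addHolder(new AuthenticationRequirementHolder(LogoutServlet.SERVLET_PATH, false, null));

        // clear() above also dropped the requirements contributed by services.
        if (this.serviceListener != null) {
            this.serviceListener.registerServices();
        }

        final String httpAuthMode;
        if (anonymousAllowed) {
            httpAuthMode = OsgiUtil.toString(map.get(PAR_HTTP_AUTH), HTTP_AUTH_PREEMPTIVE);
        } else {
            // The configured mode is ignored when anonymous access is denied.
            httpAuthMode = HTTP_AUTH_ENABLED;
            this.log.debug("modified: Anonymous Access is denied thus HTTP Basic Authentication is fully enabled");
        }
        if (HTTP_AUTH_DISABLED.equals(httpAuthMode)) {
            this.httpBasicHandler = null;
        } else {
            // The second argument is true only for the "enabled" mode.
            this.httpBasicHandler = new HttpBasicAuthenticationHandler(OsgiUtil.toString(map.get(PAR_REALM_NAME), DEFAULT_REALM), HTTP_AUTH_ENABLED.equals(httpAuthMode));
        }
    }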

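    /**
     * Releases what {@code activate} set up: the service trackers, the
     * requirement listener and the web console plugin registration.
     *
     * @param bundleContext context the service listener was registered with
     */
    @Deactivate
    private void deactivate(BundleContext bundleContext) {
        if (this.engineAuthHandlerTracker != null) {
            this.engineAuthHandlerTracker.close();
            this.engineAuthHandlerTracker = null;
        }
        if (this.authHandlerTracker != null) {
            this.authHandlerTracker.close();
            this.authHandlerTracker = null;
        }
        if (this.authInfoPostProcessorTracker != null) {
            // Opened in activate(), so it is closed here as well. The reference
            // is kept: postProcess() dereferences it without a null check, and a
            // closed tracker reports no services.
            this.authInfoPostProcessorTracker.close();
        }
        if (this.serviceListener != null) {
            bundleContext.removeServiceListener(this.serviceListener);
            this.serviceListener = null;
        }
        if (this.webConsolePlugin != null) {
            this.webConsolePlugin.unregister();
            this.webConsolePlugin = null;
        }
    }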

    /**
     * Authenticates the request and reports whether processing may continue.
     *
     * <p>A request that already carries a {@link ResourceResolver} attribute is
     * accepted as is. A request that authenticated successfully is still
     * rejected when {@code expectAuthenticationHandler} reports that a handler
     * should have answered it.
     *
     * @return {@code true} if request processing may continue, {@code false} if
     *         a response has been sent or access is denied
     */
    @Override // org.apache.sling.auth.core.AuthenticationSupport
    public boolean handleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final Object existing = httpServletRequest.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        if (existing instanceof ResourceResolver) {
            this.log.debug("handleSecurity: Request already authenticated, nothing to do");
            return true;
        }
        if (existing != null) {
            // Some other value occupies the attribute; drop it so that only a
            // resolver created here can end up under that name.
            this.log.warn("handleSecurity: Overwriting existing ResourceResolver attribute ({})", existing);
            httpServletRequest.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        }

        final boolean authenticated = doHandleSecurity(httpServletRequest, httpServletResponse);
        if (authenticated && expectAuthenticationHandler(httpServletRequest)) {
            // Fail closed: a handler was expected to answer this request but none did.
            // presumably this concerns requests to an authentication URI suffix — confirm.
            this.log.warn("handleSecurity: AuthenticationHandler did not block request; access denied");
            httpServletRequest.removeAttribute(AuthenticationHandler.FAILURE_REASON);
            httpServletRequest.removeAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
            AuthUtil.sendInvalid(httpServletRequest, httpServletResponse);
            return false;
        }
        return authenticated;
    }

    /**
     * Extracts credentials, runs the post processors and obtains a resolver for
     * the request.
     *
     * <p>NOTE(review): the user name written to the debug log comes from the
     * request; confirm that the log output neutralises control characters.
     *
     * @return {@code false} when authentication is still in progress, failed, or
     *         a {@link LoginException} was handled; otherwise the result of
     *         {@code getAnonymousResolver} or {@code getResolver}
     */
    private boolean doHandleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final AuthenticationInfo credentials = getAuthenticationInfo(httpServletRequest, httpServletResponse);
        try {
            postProcess(credentials, httpServletRequest, httpServletResponse);

            // DOING_AUTH and FAIL_AUTH are sentinel instances, compared by identity.
            if (credentials == AuthenticationInfo.DOING_AUTH) {
                this.log.debug("doHandleSecurity: ongoing authentication in the handler");
                return false;
            } else if (credentials == AuthenticationInfo.FAIL_AUTH) {
                this.log.debug("doHandleSecurity: Credentials present but not valid, request authentication again");
                AuthUtil.setLoginResourceAttribute(httpServletRequest, httpServletRequest.getRequestURI());
                doLogin(httpServletRequest, httpServletResponse);
                return false;
            } else if (credentials.getAuthType() == null) {
                // No authentication type means no handler supplied credentials.
                this.log.debug("doHandleSecurity: No credentials in the request, anonymous");
                return getAnonymousResolver(httpServletRequest, httpServletResponse, credentials);
            } else {
                this.log.debug("doHandleSecurity: Trying to get a session for {}", credentials.getUser());
                return getResolver(httpServletRequest, httpServletResponse, credentials);
            }
        } catch (LoginException e) {
            handleLoginFailure(httpServletRequest, httpServletResponse, credentials.getUser(), e);
            return false;
        }
    }

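    /**
     * Asks the applicable authentication handlers, in cache order, to request
     * credentials from the client, falling back to the HTTP Basic handler.
     *
     * <p>NOTE(review): handlers are matched with a plain {@code startsWith} on
     * the handler path; presumably {@code findApplicableHolder} has already
     * narrowed the candidates, so a handler for {@code /a} is not chosen for
     * {@code /ab} — confirm.
     *
     * @throws IllegalStateException if the response is already committed
     * @throws NoAuthenticationHandlerException if no handler requested credentials
     */
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response already committed");
        }
        Collection<AbstractAuthenticationHandlerHolder>[] candidates = this.authHandlerCache.findApplicableHolder(httpServletRequest);
        String selectionPath = getHandlerSelectionPath(httpServletRequest);

        boolean done = false;
        for (int i = 0; !done && i < candidates.length; i++) {
            Collection<AbstractAuthenticationHandlerHolder> holders = candidates[i];
            if (holders == null) {
                continue;
            }
            for (AbstractAuthenticationHandlerHolder holder : holders) {
                if (!selectionPath.startsWith(holder.path)) {
                    continue;
                }
                this.log.debug("login: requesting authentication using handler: {}", holder);
                try {
                    done = holder.requestCredentials(httpServletRequest, httpServletResponse);
                } catch (IOException e) {
                    this.log.error("login: Failed sending authentication request through handler " + holder + ", access forbidden", e);
                    // The handler may have written part of a response; stop
                    // here instead of letting another handler take over.
                    done = true;
                }
                if (done) {
                    break;
                }
            }
        }

        if (!done && this.httpBasicHandler != null) {
            done = this.httpBasicHandler.requestCredentials(httpServletRequest, httpServletResponse);
        }
        if (done) {
            return;
        }

        // Nothing answered: report how many handlers were considered.
        int handlerCount = 0;
        for (Collection<AbstractAuthenticationHandlerHolder> holders : candidates) {
            if (holders != null) {
                handlerCount += holders.size();
            }
        }
        this.log.info("login: No handler for request ({} handlers available)", Integer.valueOf(handlerCount));
        throw new NoAuthenticationHandlerException();
    }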

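    /**
     * Asks every applicable authentication handler and the HTTP Basic handler
     * to drop the client's credentials, then redirects.
     *
     * <p>A handler that fails with an {@link IOException} is logged and the
     * remaining handlers are still asked.
     *
     * <p>NOTE(review): {@code redirectAfterLogout} is outside this part of the
     * file; confirm that it validates a redirect target taken from the request.
     *
     * @throws IllegalStateException if the response is already committed
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response already committed");
        }
        // presumably resets the impersonation cookie, since the synthetic info
        // names only the current remote user — confirm in setSudoCookie.
        setSudoCookie(httpServletRequest, httpServletResponse, new AuthenticationInfo("dummy", httpServletRequest.getRemoteUser()));

        String selectionPath = getHandlerSelectionPath(httpServletRequest);
        Collection<AbstractAuthenticationHandlerHolder>[] candidates = this.authHandlerCache.findApplicableHolder(httpServletRequest);
        for (Collection<AbstractAuthenticationHandlerHolder> holders : candidates) {
            if (holders == null) {
                continue;
            }
            for (AbstractAuthenticationHandlerHolder holder : holders) {
                if (!selectionPath.startsWith(holder.path)) {
                    continue;
                }
                this.log.debug("logout: dropping authentication using handler: {}", holder);
                try {
                    holder.dropCredentials(httpServletRequest, httpServletResponse);
                } catch (IOException e) {
                    this.log.error("logout: Failed dropping authentication through handler " + holder, e);
                }
            }
        }
        if (this.httpBasicHandler != null) {
            this.httpBasicHandler.dropCredentials(httpServletRequest, httpServletResponse);
        }
        redirectAfterLogout(httpServletRequest, httpServletResponse);
    }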

    /** Does nothing when a request starts; the listener only acts in {@code requestDestroyed}. */
    public void requestInitialized(ServletRequestEvent servletRequestEvent) {
    }

    /**
     * Closes the {@link ResourceResolver} stored on the finished request, if
     * there is one, and removes the request attribute.
     */
    public void requestDestroyed(ServletRequestEvent servletRequestEvent) {
        final ServletRequest request = servletRequestEvent.getServletRequest();
        final Object candidate = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        if (!(candidate instanceof ResourceResolver)) {
            // Nothing to release for this request.
            return;
        }
        final ResourceResolver resolver = (ResourceResolver) candidate;
        resolver.close();
        request.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
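    /**
     * Lists the providers of the registered authentication handlers grouped by
     * the full path they are registered for, in cache order. The built-in HTTP
     * Basic handler, when enabled, is listed under {@code "/"}.
     *
     * @return a new map from handler path to provider descriptions
     */
    public Map<String, List<String>> getAuthenticationHandler() {
        List<AbstractAuthenticationHandlerHolder> holders = this.authHandlerCache.getHolders();
        Map<String, List<String>> providersByPath = new LinkedHashMap<>();
        for (AbstractAuthenticationHandlerHolder holder : holders) {
            List<String> providers = providersByPath.get(holder.fullPath);
            if (providers == null) {
                providers = new ArrayList<>();
                providersByPath.put(holder.fullPath, providers);
            }
            providers.add(holder.getProvider());
        }
        if (this.httpBasicHandler != null) {
            List<String> rootProviders = providersByPath.get("/");
            if (rootProviders == null) {
                rootProviders = new ArrayList<>();
                providersByPath.put("/", rootProviders);
            }
            rootProviders.add(this.httpBasicHandler.toString());
        }
        return providersByPath;
    }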

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the holders currently stored in the authentication requirement cache.
     *
     * @return the list provided by the cache's {@code getHolders()}
     */
    public List<AuthenticationRequirementHolder> getAuthenticationRequirements() {
        final List<AuthenticationRequirementHolder> requirements = authRequiredCache.getHolders();
        return requirements;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the configured anonymous user name.
     *
     * @return the user name, or {@code null} when none is configured
     */
    public String getAnonUserName() {
        return anonUser;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the name of the impersonation cookie currently in effect.
     *
     * @return the cookie name set by the last configuration update
     */
    public String getSudoCookieName() {
        return sudoCookieName;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the name of the impersonation request parameter currently in effect.
     *
     * @return the parameter name set by the last configuration update
     */
    public String getSudoParameterName() {
        return sudoParameterName;
    }

    /**
     * Builds the request path from the servlet path followed by the path info,
     * leaving out whichever part is {@code null}.
     *
     * @return the concatenated path; empty if both parts are {@code null}
     */
    private String getPath(HttpServletRequest httpServletRequest) {
        final String servletPath = httpServletRequest.getServletPath();
        final String pathInfo = httpServletRequest.getPathInfo();
        final StringBuilder path = new StringBuilder();
        if (servletPath != null) {
            path.append(servletPath);
        }
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString();
    }

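    /**
     * Asks the applicable authentication handlers, in cache order, to extract
     * credentials from the request. The first non-null result wins; the HTTP
     * Basic handler is asked last, and anonymous credentials are used when no
     * handler returns anything.
     *
     * <p>The feedback handler of the handler that supplied the credentials is
     * stored in the result under an internal key.
     *
     * <p>NOTE(review): handlers are matched with a plain {@code startsWith} on
     * the handler path; presumably {@code findApplicableHolder} has already
     * narrowed the candidates by path — confirm.
     *
     * @return the credentials found, or the anonymous credentials
     */
    private AuthenticationInfo getAuthenticationInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String path = getPath(httpServletRequest);
        if (path.length() == 0) {
            path = "/";
        }

        Collection<AbstractAuthenticationHandlerHolder>[] candidates = this.authHandlerCache.findApplicableHolder(httpServletRequest);
        for (Collection<AbstractAuthenticationHandlerHolder> holders : candidates) {
            if (holders == null) {
                continue;
            }
            for (AbstractAuthenticationHandlerHolder holder : holders) {
                if (!path.startsWith(holder.path)) {
                    continue;
                }
                AuthenticationInfo extracted = holder.extractCredentials(httpServletRequest, httpServletResponse);
                if (extracted != null) {
                    extracted.put(AUTH_INFO_PROP_FEEDBACK_HANDLER, (Object) holder.getFeedbackHandler());
                    return extracted;
                }
            }
        }

        if (this.httpBasicHandler != null) {
            AuthenticationInfo basicCredentials = this.httpBasicHandler.extractCredentials(httpServletRequest, httpServletResponse);
            if (basicCredentials != null) {
                basicCredentials.put(AUTH_INFO_PROP_FEEDBACK_HANDLER, (Object) this.httpBasicHandler);
                return basicCredentials;
            }
        }

        this.log.debug("getAuthenticationInfo: no handler could extract credentials; assuming anonymous");
        return getAnonymousCredentials();
    }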

    /**
     * Passes the extracted credentials to every tracked {@link AuthenticationInfoPostProcessor}.
     *
     * <p>Processors run in the order the tracker returns them. Nothing is caught here, so
     * a {@link LoginException} from one processor propagates to the caller and the
     * remaining processors are not invoked.
     *
     * @param authenticationInfo the credentials to post process
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @throws LoginException if a post processor rejects the credentials
     */
    private void postProcess(AuthenticationInfo authenticationInfo, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws LoginException {
        Object[] processors = this.authInfoPostProcessorTracker.getServices();
        if (processors == null) {
            return;
        }
        for (Object processor : processors) {
            ((AuthenticationInfoPostProcessor) processor).postProcess(authenticationInfo, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Creates a resource resolver for the given credentials and decides whether request
     * processing continues.
     *
     * <p>The feedback handler and the login marker are removed from the credentials map
     * before it is passed to the resource resolver factory. Impersonation and password
     * change parameters from the request are added to the map first.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param authenticationInfo the credentials extracted for the request; modified in place
     * @return {@code true} when a resolver was attached to the request through
     *         {@code setAttributes}; {@code false} when the response was already handled
     *         (validation reply, redirect, feedback handler) and the resolver was closed.
     *         On a {@link LoginException} the result of {@code handleLoginFailure} is
     *         returned, or {@code false} if the response is already committed.
     */
    private boolean getResolver(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        // Internal bookkeeping entries are taken out so they are not handed to the resolver factory.
        AuthenticationFeedbackHandler authenticationFeedbackHandler = (AuthenticationFeedbackHandler) authenticationInfo.remove(AUTH_INFO_PROP_FEEDBACK_HANDLER);
        Object remove = authenticationInfo.remove(AuthConstants.AUTH_INFO_LOGIN);
        try {
            handleImpersonation(httpServletRequest, authenticationInfo);
            handlePasswordChange(httpServletRequest, authenticationInfo);
            ResourceResolver resourceResolver = this.resourceResolverFactory.getResourceResolver(authenticationInfo);
            boolean sudoCookie = setSudoCookie(httpServletRequest, httpServletResponse, authenticationInfo);
            // A login event is posted only when the credentials carried the AUTH_INFO_LOGIN marker.
            if (remove != null) {
                postLoginEvent(authenticationInfo);
            }
            // The resolver is exposed on the request before the feedback handler is called.
            httpServletRequest.setAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER, resourceResolver);
            // presumably true (continue processing by default); the constant's declaration is outside this view
            boolean z = DEFAULT_ANONYMOUS_ALLOWED;
            if (authenticationFeedbackHandler != null) {
                // The handler returns true when it has already answered the request itself.
                z = !authenticationFeedbackHandler.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
            }
            if (z) {
                if (AuthUtil.isValidateRequest(httpServletRequest)) {
                    AuthUtil.sendValid(httpServletResponse);
                    z = false;
                } else if (sudoCookie || authenticationFeedbackHandler == null) {
                    z = !DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse);
                }
            }
            if (z) {
                setAttributes(resourceResolver, authenticationInfo.getAuthType(), httpServletRequest);
            } else {
                // NOTE(review): the request attribute set above still references this resolver
                // after it is closed; nothing in this method clears it.
                resourceResolver.close();
            }
            return z;
            // NOTE(review): only LoginException is handled; any other exception thrown after the
            // resolver was created propagates without the resolver being closed here.
        } catch (LoginException e) {
            if (authenticationFeedbackHandler != null) {
                authenticationFeedbackHandler.authenticationFailed(httpServletRequest, httpServletResponse, authenticationInfo);
            }
            // If the feedback handler already answered, no further failure response is attempted.
            if (httpServletResponse.isCommitted()) {
                return false;
            }
            return handleLoginFailure(httpServletRequest, httpServletResponse, authenticationInfo.getUser(), e);
        }
    }

    /**
     * Tells whether the request URI ends with one of the configured authentication URI suffixes.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if a configured suffix matches the end of the request URI;
     *         {@code false} if none matches or no suffixes are configured
     */
    private boolean expectAuthenticationHandler(HttpServletRequest httpServletRequest) {
        if (this.authUriSuffices == null) {
            return false;
        }
        String uri = httpServletRequest.getRequestURI();
        for (String suffix : this.authUriSuffices) {
            if (uri.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Serves the request with an anonymous resource resolver if anonymous access is permitted.
     *
     * <p>When anonymous access is not allowed for the request path, credentials are
     * requested through {@code doLogin} and no resolver is created.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param authenticationInfo the (anonymous) credentials used to create the resolver
     * @return {@code true} if a resolver was attached to the request; {@code false} if a
     *         login was requested, a redirect was sent, or creating the resolver failed
     */
    private boolean getAnonymousResolver(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        if (isAnonAllowed(httpServletRequest)) {
            try {
                ResourceResolver anonymousResolver = this.resourceResolverFactory.getResourceResolver(authenticationInfo);
                boolean redirected = DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse);
                if (!redirected) {
                    setAttributes(anonymousResolver, null, httpServletRequest);
                    return true;
                }
                // The redirect answers the request, so the resolver is not needed any more.
                anonymousResolver.close();
            } catch (LoginException e) {
                handleLoginFailure(httpServletRequest, httpServletResponse, "anonymous user", e);
            }
            return false;
        }
        this.log.info("getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials");
        doLogin(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Decides whether the request path may be served without authentication.
     *
     * <p>The first authentication requirement whose path is a prefix of the request path
     * decides. An empty request path, or a path no requirement matches, is treated as
     * requiring authentication (deny by default).
     *
     * <p>NOTE(review): matching uses {@code String.startsWith}, so a requirement for
     * {@code /public} also matches {@code /publicity}; presumably the cache orders and
     * narrows the candidates so the most specific entry is seen first. Confirm.
     *
     * @param httpServletRequest the current request
     * @return {@code true} only if the matching requirement does not require authentication
     */
    private boolean isAnonAllowed(HttpServletRequest httpServletRequest) {
        String requestPath = getPath(httpServletRequest);
        if (requestPath.length() == 0) {
            return false;
        }
        for (Collection<AuthenticationRequirementHolder> requirements : this.authRequiredCache.findApplicableHolder(httpServletRequest)) {
            if (requirements == null) {
                continue;
            }
            for (AuthenticationRequirementHolder requirement : requirements) {
                if (requestPath.startsWith(requirement.path)) {
                    return !requirement.requiresAuthentication();
                }
            }
        }
        return false;
    }

    /**
     * Builds the credentials used for anonymous access.
     *
     * <p>The result has no authentication type. The configured anonymous user name and
     * password are set only when an anonymous user name is configured.
     *
     * @return a new {@link AuthenticationInfo} for anonymous access
     */
    private AuthenticationInfo getAnonymousCredentials() {
        AuthenticationInfo anonymous = new AuthenticationInfo(null);
        if (this.anonUser == null) {
            return anonymous;
        }
        anonymous.setUser(this.anonUser);
        anonymous.setPassword(this.anonPassword);
        return anonymous;
    }

    /**
     * Answers a request whose credentials could not be used to create a resource resolver.
     *
     * <ul>
     * <li>An exception whose class name contains {@code TooManySessionsException} is
     *     answered with status 503.</li>
     * <li>A {@link LoginException} either triggers a new login (with a failure reason set
     *     on the request) or, when the resource allows anonymous access and no
     *     authentication was expected, falls back to an anonymous resolver.</li>
     * <li>Any other exception is logged and answered with status 500.</li>
     * </ul>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param str the user name used in log messages
     * @param exc the failure that prevented the login
     * @return {@code true} only if the anonymous fallback attached a resolver to the request
     */
    private boolean handleLoginFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, Exception exc) {
        boolean z = false;
        // Matched by class name rather than by type, so any exception class with this name fragment qualifies.
        if (exc.getClass().getName().contains("TooManySessionsException")) {
            this.log.info("handleLoginFailure: Too many sessions for {}: {}", str, exc.getMessage());
            try {
                httpServletResponse.sendError(503, "SlingAuthenticator: Too Many Users");
            } catch (IOException e) {
                this.log.error("handleLoginFailure: Cannot send status 503 to client", e);
            }
        } else if (exc instanceof LoginException) {
            this.log.info("handleLoginFailure: Unable to authenticate {}: {}", str, exc.getMessage());
            if (!isAnonAllowed(httpServletRequest) || expectAuthenticationHandler(httpServletRequest) || AuthUtil.isValidateRequest(httpServletRequest)) {
                // NOTE(review): an expired password gets its own reason code, which tells the client
                // the account exists; presumably intended so a login form can offer a password
                // change. Confirm.
                if (exc.getCause() instanceof CredentialExpiredException) {
                    httpServletRequest.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED);
                    ensureAttribute(httpServletRequest, AuthenticationHandler.FAILURE_REASON, "Password expired");
                } else {
                    // One generic reason covers both an unknown user and a wrong password.
                    httpServletRequest.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN);
                    ensureAttribute(httpServletRequest, AuthenticationHandler.FAILURE_REASON, "User name and password do not match");
                }
                doLogin(httpServletRequest, httpServletResponse);
            } else {
                this.log.debug("handleLoginFailure: LoginException on an anonymous resource, fallback to getAnonymousResolver");
                // The failed credentials are discarded; the fallback uses fresh credentials without user or password.
                z = getAnonymousResolver(httpServletRequest, httpServletResponse, new AuthenticationInfo(null));
            }
        } else {
            // NOTE(review): the user name is concatenated into the log message; when it comes from
            // request credentials it is client-controlled. Presumably the logging backend
            // neutralises line breaks. Confirm.
            this.log.error("handleLoginFailure: Unable to authenticate " + str, exc);
            try {
                // NOTE(review): the exception's simple class name is sent to the client in the error message.
                httpServletResponse.sendError(500, "SlingAuthenticator: data access error, reason=" + exc.getClass().getSimpleName());
            } catch (IOException e2) {
                this.log.error("handleLoginFailure: Cannot send status 500 to client", e2);
            }
        }
        return z;
    }

    /**
     * Requests credentials from the client in the way that suits the kind of request.
     *
     * <ul>
     * <li>Validation requests always receive the "invalid" reply.</li>
     * <li>Browser requests that are neither Ajax requests nor a login loop are passed to
     *     {@code login}.</li>
     * <li>Non-browser requests receive an HTTP Basic challenge when the Basic handler is
     *     configured.</li>
     * <li>Every remaining case (Ajax request, login loop, no handler available, no Basic
     *     handler) ends with the "invalid" reply and the failure reason
     *     {@code "Authentication Failed"} unless a reason is already set.</li>
     * </ul>
     *
     * <p>NOTE(review): the browser/Ajax classification is presumably derived from request
     * headers, which the client controls; it selects the response style only and should
     * not be relied on for access decisions. Confirm against {@code AuthUtil}.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     */
    private void doLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!AuthUtil.isValidateRequest(httpServletRequest)) {
            if (AuthUtil.isBrowserRequest(httpServletRequest)) {
                if (!AuthUtil.isAjaxRequest(httpServletRequest) && !isLoginLoop(httpServletRequest)) {
                    try {
                        login(httpServletRequest, httpServletResponse);
                        return;
                    } catch (IllegalStateException e) {
                        // Nothing more can be written to a committed response, so stop here.
                        this.log.error("doLogin: Cannot login: Response already committed");
                        return;
                    } catch (NoAuthenticationHandlerException e2) {
                        // No return: execution continues to the generic "invalid" reply below.
                        this.log.error("doLogin: Cannot login: No AuthenticationHandler available to handle the request");
                    }
                }
            } else if (this.httpBasicHandler != null) {
                this.httpBasicHandler.sendUnauthorized(httpServletResponse);
                return;
            }
        }
        ensureAttribute(httpServletRequest, AuthenticationHandler.FAILURE_REASON, "Authentication Failed");
        AuthUtil.sendInvalid(httpServletRequest, httpServletResponse);
    }

    /**
     * Detects a request that was referred to by itself.
     *
     * <p>The {@code Referer} header is compared with the full request URL, including the
     * query string when present. The header is supplied by the client, so this is a
     * best-effort guard against redirect loops rather than a security check.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the {@code Referer} header equals the request URL
     */
    private boolean isLoginLoop(HttpServletRequest httpServletRequest) {
        String referer = httpServletRequest.getHeader("Referer");
        if (referer == null) {
            return false;
        }
        String target = httpServletRequest.getRequestURL().toString();
        String query = httpServletRequest.getQueryString();
        if (query != null) {
            target = target + '?' + query;
        }
        return referer.equals(target);
    }

    /**
     * Sets a request attribute unless a non-null value is already present.
     *
     * @param httpServletRequest the request to modify
     * @param str the attribute name
     * @param obj the value to store when the attribute is missing
     */
    private void ensureAttribute(HttpServletRequest httpServletRequest, String str, Object obj) {
        boolean alreadySet = httpServletRequest.getAttribute(str) != null;
        if (alreadySet) {
            return;
        }
        httpServletRequest.setAttribute(str, obj);
    }

    /**
     * Publishes the authenticated user, the authentication type and the resource resolver
     * as request attributes.
     *
     * @param resourceResolver the resolver created for the request
     * @param str the authentication type, or {@code null} for anonymous access
     * @param httpServletRequest the request receiving the attributes
     */
    private void setAttributes(ResourceResolver resourceResolver, String str, HttpServletRequest httpServletRequest) {
        String userId = resourceResolver.getUserID();
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.remote.user", userId);
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.type", str);
        httpServletRequest.setAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER, resourceResolver);
        this.log.debug("setAttributes: ResourceResolver stored as request attribute: user={}", resourceResolver.getUserID());
    }

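    /**
     * Sends the impersonation ("sudo") cookie to the client.
     *
     * <p>The value is quoted with {@code quoteCookieValue}. If it cannot be quoted, the
     * failure is logged and no cookie is sent. Setting the cookie comment is best effort:
     * a rejected comment is logged at debug level and the cookie is still sent.
     *
     * <p>NOTE(review): the cookie is created without the {@code Secure} or
     * {@code HttpOnly} attributes. It names the user to impersonate, so it should
     * presumably be restricted to secure transport and hidden from scripts where the
     * servlet API in use supports that. Confirm the API level before adding the calls.
     *
     * @param httpServletResponse the response receiving the cookie
     * @param str the user to impersonate; an empty string when the cookie is being cleared
     * @param i the cookie's maximum age in seconds ({@code 0} removes it, a negative value
     *        keeps it for the browser session)
     * @param str2 the cookie path; {@code "/"} is used when {@code null} or empty
     * @param str3 the name used as the impersonating user in the cookie comment
     */
    private void sendSudoCookie(HttpServletResponse httpServletResponse, String str, int i, String str2, String str3) {
        try {
            String quoteCookieValue = quoteCookieValue(str);
            if (quoteCookieValue == null) {
                return;
            }
            Cookie cookie = new Cookie(this.sudoCookieName, quoteCookieValue);
            cookie.setMaxAge(i);
            cookie.setPath((str2 == null || str2.length() == 0) ? "/" : str2);
            try {
                cookie.setComment(str3 + " impersonates as " + str);
            } catch (IllegalArgumentException e) {
                // The comment is informational only; record the rejection instead of hiding it
                // and continue with the cookie itself.
                this.log.debug("sendSudoCookie: Cookie comment rejected, sending cookie without it: {}", e.getMessage());
            }
            httpServletResponse.addCookie(cookie);
            if (this.cacheControl) {
                // Asks caches not to store the Set-Cookie header with the response.
                httpServletResponse.addHeader("Cache-Control", "no-cache=\"Set-Cookie\"");
            }
        } catch (IllegalArgumentException e2) {
            this.log.error("sendSudoCookie: Failed to quote value '{}' of cookie {}: {}", new Object[]{str, this.sudoCookieName, e2.getMessage()});
        }
    }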

    /**
     * Adds the user to impersonate, if any, to the credentials.
     *
     * <p>The request parameter named by {@code sudoParameterName} takes precedence over
     * the sudo cookie. A missing or empty parameter falls back to the cookie value, and
     * the parameter value {@code "-"} switches impersonation off. A non-empty result is
     * stored under {@code "user.impersonation"}.
     *
     * <p>NOTE(review): both sources are controlled by the client and no permission check
     * happens here. Whether the authenticated user may impersonate the named user is
     * presumably enforced when the resource resolver is created. Confirm.
     *
     * @param httpServletRequest the current request
     * @param authenticationInfo the credentials to extend
     */
    private void handleImpersonation(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String fromCookie = getSudoCookieValue(httpServletRequest);
        String fromParameter = httpServletRequest.getParameter(this.sudoParameterName);
        String impersonated;
        if (fromParameter == null || fromParameter.length() == 0) {
            impersonated = fromCookie;
        } else if ("-".equals(fromParameter)) {
            impersonated = null;
        } else {
            impersonated = fromParameter;
        }
        if (impersonated != null && impersonated.length() > 0) {
            authenticationInfo.put("user.impersonation", (Object) impersonated);
        }
    }

    /**
     * Copies a new password from the request into the credentials.
     *
     * <p>A non-empty value of the {@code PAR_NEW_PASSWORD} request parameter is stored
     * under {@code "user.newpassword"}. The value is a secret: it must not be logged, and
     * the credentials map holding it should not be exposed beyond the login call.
     *
     * @param httpServletRequest the current request
     * @param authenticationInfo the credentials to extend
     */
    private void handlePasswordChange(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String newPassword = httpServletRequest.getParameter(PAR_NEW_PASSWORD);
        if (newPassword != null && newPassword.length() > 0) {
            authenticationInfo.put("user.newpassword", (Object) newPassword);
        }
    }

    /**
     * Reads the unquoted value of the sudo cookie from the request.
     *
     * <p>The first cookie named {@code sudoCookieName} that yields a non-null value wins.
     *
     * @param httpServletRequest the current request
     * @return the unquoted cookie value, or {@code null} if the request carries no such cookie
     */
    private String getSudoCookieValue(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (this.sudoCookieName.equals(candidate.getName())) {
                String value = unquoteCookieValue(candidate.getValue());
                if (value != null) {
                    return value;
                }
            }
        }
        return null;
    }

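    /**
     * Brings the sudo cookie in line with the impersonation stored in the credentials.
     *
     * <p>The cookie is cleared when impersonation is off but a cookie is present, and it
     * is (re)sent when the impersonated user differs from the cookie value. Nothing is
     * sent when the two already agree.
     *
     * <p>The two values are compared by content. A reference comparison would report a
     * change for equal strings held in different objects, which is the usual case here
     * because the cookie value is read again from the request, and the method would then
     * return {@code true} without having sent a cookie.
     *
     * <p>NOTE(review): when the cookie is set, the impersonated user is also passed as the
     * name for the cookie comment, so the comment reads "X impersonates as X". The
     * authenticated user was presumably intended. Confirm before changing.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response receiving the cookie
     * @param authenticationInfo the credentials, read for {@code "user.impersonation"}
     * @return {@code true} if a cookie was sent to set or clear impersonation
     */
    private boolean setSudoCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        String requested = (String) authenticationInfo.get("user.impersonation");
        String current = getSudoCookieValue(httpServletRequest);
        boolean changed = (requested == null) ? current != null : !requested.equals(current);
        if (!changed) {
            return false;
        }
        if (requested == null) {
            // Impersonation ended: expire the cookie immediately.
            sendSudoCookie(httpServletResponse, "", 0, httpServletRequest.getContextPath(), authenticationInfo.getUser());
        } else {
            // Session cookie (negative max age) carrying the impersonated user.
            sendSudoCookie(httpServletResponse, requested, -1, httpServletRequest.getContextPath(), requested);
        }
        return true;
    }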

    /**
     * Determines the path used to select an authentication handler.
     *
     * <p>A string-valued {@code "resource"} request attribute is preferred, with the
     * context path removed when the value starts with it. Otherwise the request's path
     * info is used. A missing or empty result becomes {@code "/"}.
     *
     * <p>NOTE(review): the attribute is read from the request as is; it is presumably set
     * by the component that asks for the login. Confirm.
     *
     * @param httpServletRequest the current request
     * @return the selection path, never {@code null} or empty
     */
    private String getHandlerSelectionPath(HttpServletRequest httpServletRequest) {
        Object resource = httpServletRequest.getAttribute("resource");
        String selectionPath;
        if (!(resource instanceof String)) {
            selectionPath = httpServletRequest.getPathInfo();
        } else {
            selectionPath = (String) resource;
            String context = httpServletRequest.getContextPath();
            if (context != null && selectionPath.startsWith(context)) {
                selectionPath = selectionPath.substring(context.length());
            }
        }
        return (selectionPath == null || selectionPath.length() == 0) ? "/" : selectionPath;
    }

    /**
     * Redirects the client after logout unless the response is already committed.
     *
     * <p>The target comes from {@code AuthUtil.getLoginResource} and is checked with
     * {@code AuthUtil.isRedirectValid}. A target that fails the check is replaced by
     * {@code "/"}, so a request-supplied value cannot send the client to an arbitrary
     * location. The context path is prepended to the target.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response used for the redirect
     */
    private void redirectAfterLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            this.log.debug("redirectAfterLogout: Response has already been committed, not redirecting");
            return;
        }
        String target = AuthUtil.getLoginResource(httpServletRequest, httpServletRequest.getContextPath());
        boolean targetAccepted = AuthUtil.isRedirectValid(httpServletRequest, target);
        if (!targetAccepted) {
            this.log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
            target = "/";
        }
        try {
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + target);
        } catch (IOException e) {
            this.log.error("Failed to redirect to the page: " + target, e);
        }
    }

    /**
     * Posts a login event carrying the user name and the authentication type.
     *
     * <p>The event is posted only while an {@code EventAdmin} service is bound. The
     * properties are assembled first either way, and {@link Hashtable} rejects null
     * values, so the credentials must provide both a user and an authentication type.
     *
     * @param authenticationInfo the credentials of the user who logged in
     */
    private void postLoginEvent(AuthenticationInfo authenticationInfo) {
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put("userid", authenticationInfo.getUser());
        properties.put(AuthenticationInfo.AUTH_TYPE, authenticationInfo.getAuthType());
        // Copy the field once so a concurrent unbind cannot null it between check and use.
        EventAdmin admin = this.eventAdmin;
        if (admin == null) {
            return;
        }
        admin.postEvent(new Event(AuthConstants.TOPIC_LOGIN, properties));
    }

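    /**
     * Wraps a cookie value in double quotes, escaping characters that would break the quoting.
     *
     * <p>Double quotes and backslashes are prefixed with a backslash. Escaping the
     * backslash as well keeps the value intact when it is read back with
     * {@code unquoteCookieValue}; a bare backslash would be dropped on reading. Control
     * characters other than horizontal tab are rejected.
     *
     * @param str the raw cookie value
     * @return the quoted value, including the surrounding double quotes
     * @throws IllegalArgumentException if {@code str} is {@code null} or contains a
     *         control character other than tab
     */
    static String quoteCookieValue(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Cookie value may not be null");
        }
        StringBuilder quoted = new StringBuilder(str.length() * 2 + 2);
        quoted.append('"');
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            if (c == '"' || c == '\\') {
                quoted.append('\\').append(c);
            } else if (c == 127 || (c < ' ' && c != '\t')) {
                // Control characters could split the header line, so they are refused outright.
                throw new IllegalArgumentException("Cookie value may not contain CTL character");
            } else {
                quoted.append(c);
            }
        }
        quoted.append('"');
        return quoted.toString();
    }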

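    /**
     * Reverses {@code quoteCookieValue}: removes the surrounding double quotes and
     * resolves backslash escapes.
     *
     * <p>A backslash makes the following character literal, so {@code \"} yields a double
     * quote and {@code \\} yields a single backslash. A lone backslash right before the
     * closing quote is dropped. Values that do not both start and end with a double quote
     * are returned unchanged, so no character is stripped from a value that was never
     * quoted properly.
     *
     * <p>The input comes from a request cookie and is therefore client-controlled; the
     * result must be treated as untrusted.
     *
     * @param str the cookie value as received, may be {@code null}
     * @return the unquoted value, or {@code str} itself if it is not a quoted string
     */
    static String unquoteCookieValue(String str) {
        if (str == null || str.length() < 2 || str.charAt(0) != '"' || str.charAt(str.length() - 1) != '"') {
            return str;
        }
        int end = str.length() - 1;
        StringBuilder plain = new StringBuilder(end);
        for (int i = 1; i < end; i++) {
            char c = str.charAt(i);
            if (c == '\\') {
                if (i + 1 >= end) {
                    // Dangling escape with nothing left to escape.
                    break;
                }
                i++;
                c = str.charAt(i);
            }
            plain.append(c);
        }
        return plain.toString();
    }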

    /**
     * Stores the resource resolver factory used to create resolvers for authenticated requests.
     *
     * @param resourceResolverFactory the factory to use from now on
     */
    protected void bindResourceResolverFactory(final ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    /**
     * Clears the resource resolver factory, but only if the given instance is the one
     * currently in use. A different instance leaves the current one untouched.
     *
     * @param resourceResolverFactory the factory being withdrawn
     */
    protected void unbindResourceResolverFactory(final ResourceResolverFactory resourceResolverFactory) {
        if (this.resourceResolverFactory != resourceResolverFactory) {
            return;
        }
        this.resourceResolverFactory = null;
    }

    /**
     * Stores the event admin service used to post login events.
     *
     * @param eventAdmin the service to use from now on
     */
    protected void bindEventAdmin(final EventAdmin eventAdmin) {
        this.eventAdmin = eventAdmin;
    }

    /**
     * Clears the event admin service, but only if the given instance is the one
     * currently in use. A different instance leaves the current one untouched.
     *
     * @param eventAdmin the service being withdrawn
     */
    protected void unbindEventAdmin(final EventAdmin eventAdmin) {
        if (this.eventAdmin != eventAdmin) {
            return;
        }
        this.eventAdmin = null;
    }
}
